Executive Summary


On April 14, 2017, the Shadow Brokers Group released the FUZZBUNCH framework, an exploitation toolkit for Microsoft® Windows®. The toolkit was allegedly written by the Equation Group, a highly sophisticated threat actor suspected of being tied to the United States National Security Agency (NSA).


The framework included EternalBlue, a remote kernel exploit originally targeting the Server Message Block (SMB) service on Microsoft Windows XP (Server 2003) and Microsoft Windows 7 (Server 2008 R2).


In this paper, the RiskSense Cyber Security Research team analyzes how using wrong-sized CPU registers leads to a seemingly innocuous mathematical miscalculation. This causes a chain-reaction domino effect ultimately culminating in code execution, making EternalBlue one of the most complex exploits ever written.


We will discuss what was necessary to port the exploit to Microsoft Windows 10, and future mitigations Microsoft has already deployed, which can prevent vulnerabilities of this class from being exploited in the future. The FUZZBUNCH version of the exploit contains an Address Space Layout Randomization (ASLR) bypass, and the Microsoft Windows 10 version required an additional Data Execution Prevention (DEP) bypass not needed in the original exploit.


Finally, we will demonstrate how we stripped the exploit down to its essential parts to defeat detection rules previously recommended by numerous governments and antivirus vendors. This includes the addition of a stealthier payload which, unlike the original, does not use the DOUBLEPULSAR implant.


Please note that this deep technical overview of the exploit process is provided to white hat information security researchers so that new generic and targeted techniques can be developed to prevent attacks. Overly meticulous details of the exploit process, such as math and alignment issues that would only be useful to attackers, have been omitted. Due to the sensitive nature of the exploit and other time constraints, the source code will not be made available until a later time.
Background


The Shadow Brokers 


On August 13, 2016, a mysterious Twitter account for the Shadow Brokers hacking entity appeared, tweeting a PasteBin link to numerous news organizations. The link described the process for an auction to unlock an encrypted file that claimed to contain hacking tools belonging to the Equation Group.


Dubbed in 2015 by Kaspersky Lab, Equation Group are sophisticated exploit and malware authors believed to be part of the Office of Tailored Access Operations (TAO), a cyber warfare intelligence-gathering unit of the United States National Security Agency (NSA). As a show of good faith by the Shadow Brokers, a second encrypted file and corresponding password were released, with tools containing numerous exploits and even zero-day vulnerabilities. Among the exploits made available was EXTRABACON, a remote code execution for Cisco ASA firewalls, which the RiskSense Cyber Security Research team previously improved upon.





On April 14, 2017, the Shadow Brokers issued a message titled "Lost in Translation" which released the FUZZBUNCH framework, an exploitation tool similar to the open-source Metasploit project. The framework included a treasure trove of weaponized Microsoft Windows exploits and other malware. Among the exploits leaked was the EternalBlue exploit, which is a remote Microsoft Windows kernel exploit that targets the Server Message Block (SMB) protocol.


The FUZZBUNCH version of the EternalBlue exploit, which uses the DOUBLEPULSAR backdoor implant as its primary payload, gained significant notoriety and infamy as they were the hacking tools chosen for the international WannaCry ransom worm attack that began on May 12, 2017.


Microsoft Windows MS17-010 Patch


One month prior to the Shadow Brokers leak of Microsoft Windows exploits, Microsoft rolled out a patch with the TechNet security bulletin MS17-010. The MS17-010 patch fixed the following vulnerabilities:


It is unclear which CVE is the vulnerability which EternalBlue targets. However, Microsoft has stated CVE-2017-0146 and CVE-2017-0147 are part of the ETERNALCHAMPION exploit.


These vulnerabilities can be remediated through methods other than applying the patch, such as disabling the SMBv1 protocol, isolating vulnerable machines, not exposing SMB to the Internet, and the use of an inline intrusion detection system (IDS).


Weaponized FUZZBUNCH Exploit


The EternalBlue exploit in FUZZBUNCH is referred to in many sources as the weaponized version of the exploit. It is weaponized in that it appears to be the development of a nation state (e.g., it is a cyber weapon).
There are several exceptional characteristics which make EternalBlue a highly-advanced cyber weapon:

> It targets the Microsoft Windows operating system, which does not have publicly available source code
> It exploits the kernel, which is prone to crashes, making research and development a slow process
> It is a remote exploit, meaning no local offset calculations can be performed
> It sends malicious traffic via SMB, an esoteric and poorly documented network protocol
> It simultaneously exploits both x86 and x64 CPU architectures
> It performs pool grooming, a type of heap spray of kernel memory structures
> It contains a bypass for Data Execution Prevention (DEP)
> It contains a bypass for Address Space Layout Randomization (ASLR)





Every exploit contains at least one trick, some stratagem or artifice to deliver its payload. The FUZZBUNCH EternalBlue exploit contains several of such tricks. The exploit started with modest potential, at one point allegedly nicknamed EternalBlueSCREEN. However, over the years it was clearly improved, and now that it is in the hands of attackers and the open-source white hat community it has been further…
Metasploit Module 


The Metasploit exploit module was written by the RiskSense Cyber Security Research team and completed on May 14, 2017. The timing was unfortunate in that the culmination of research ended two days after the WannaCry attacks. As such, there were false reports that the ransom worm "lifted" code from the Metasploit module. Instead, WannaCry used a packet capture of the FUZZBUNCH exploit that was recorded for research purposes.





The exploit module currently only targets Microsoft Windows 7 and Microsoft Server 2008 R2, which are the highest versions that the FUZZBUNCH exploit release can target. Plans to add offsets for newer versions of Microsoft Windows, such as Microsoft Windows 10 and Microsoft Server 2012, have been discussed within the community. It was decided that Metasploit would accept offsets for these versions as soon as they can be made available.


The Microsoft Windows 10 proof-of-concept analyzed in this document is not yet part of the Metasploit module. RiskSense has no immediate plans to publish code for exploits outside of the scope of the original exp…











Bypass of IDS Rules 


The Metasploit module strips the exploit down to its essential, barebone components. By performing this task, RiskSense demonstrated that numerous intrusion detection system (IDS) patterns recommended by government agencies and antivirus vendors were inadequate against potential future attacks. More robust rules could be created against the stripped-down exploit.
Removal of DOUBLEPULSAR
The Metasploit module also differs from the FUZZBUNCH exploit in that the primary payload is custom-crafted ring 0 kernel shellcode. The new payload directly stages Metasploit's collection of user-mode payloads; it does not use the DOUBLEPULSAR implant at all.


RiskSense was the first organization to publish a detailed technical analysis of the DOUBLEPULSAR payload. While DOUBLEPULSAR is an ingenious payload, it has insecure cryptographic practices relying on steganography that is now widely known, and thus is not a suitable solution for a penetration testing tool such as Metasploit.


Vulnerability 


Early MS17-010 Research 

RiskSense Cyber Security Research analysts reviewed the MS17-010 patch shortly after its release, one month before the Shadow Brokers FUZZBUNCH leaks, as it is a rare circumstance for multiple remote code execution vulnerabilities to be patched at once. Reverse engineering determined that code paths for SMB traffic had been changed, resulting in error messages for certain invalid operations being changed.


Essentially, the patch inadvertently added an information disclosure that allows a remote uncredentialed attacker to determine if the patch has been installed.


One example of a new code path can be observed by connecting to the Inter-Process Communications (IPC$) tree and attempting an SMB NT Trans2 transaction on FID 0. Prior to the patch, machines will return the STATUS_INSUFF_SERVER_RESOURCES error code. On a patched machine, additional authentication checks were added, meaning STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED will be given, depending on the version of Microsoft Windows being tested.


Due to the determined critical nature of the patch, RiskSense decided to release a free scanner for system administrators to assess their networks via the Metasploit project on March 29, 2017, sixteen days before the Shadow Brokers leak on April 14, 2017. This auxiliary scanner module, after the WannaCry attacks, became an extremely popular tool for defenders to use and has since been ported to Python and NMAP.
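As an added illustration of the patch check described above (this is not code from the paper or from the Metasploit scanner module), the following reads the NT status out of an SMBv1 Trans2 response and maps it to a patch state; the sample responses are constructed inside the code rather than captured from a live host.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard NTSTATUS values named in the text. */
#define STATUS_INVALID_HANDLE          0xC0000008u
#define STATUS_ACCESS_DENIED           0xC0000022u
#define STATUS_INSUFF_SERVER_RESOURCES 0xC0000205u

#define NBSS_HDR_LEN 4           /* NetBIOS session service header */
#define SMB1_HDR_LEN 32          /* fixed SMBv1 header size */
#define SMB_COM_TRANSACTION2 0x32

enum ms17010_state {
    MS17010_UNPATCHED,   /* STATUS_INSUFF_SERVER_RESOURCES: old code path still reachable */
    MS17010_PATCHED,     /* STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED: new checks hit */
    MS17010_UNKNOWN,     /* any other status: needs manual review */
    MS17010_MALFORMED    /* not an SMBv1 response */
};

/* Extract the little-endian 32-bit NT_STATUS from an SMBv1 response framed by a
 * NetBIOS session header.  SMBv1 header layout: 0xFF 'S' 'M' 'B', Command (1),
 * Status (4), Flags (1), Flags2 (2), ... 32 bytes in total.  Returns 0 on success. */
int smb1_nt_status(const uint8_t *pkt, size_t len, uint32_t *status)
{
    if (len < NBSS_HDR_LEN + SMB1_HDR_LEN)
        return -1;
    const uint8_t *smb = pkt + NBSS_HDR_LEN;
    if (smb[0] != 0xFF || smb[1] != 'S' || smb[2] != 'M' || smb[3] != 'B')
        return -1;
    *status = (uint32_t)smb[5] | ((uint32_t)smb[6] << 8) |
              ((uint32_t)smb[7] << 16) | ((uint32_t)smb[8] << 24);
    return 0;
}

/* Classify the response to the NT Trans2-on-FID-0 probe exactly as the text describes. */
enum ms17010_state classify_ms17010(const uint8_t *pkt, size_t len)
{
    uint32_t status;
    if (smb1_nt_status(pkt, len, &status) != 0)
        return MS17010_MALFORMED;
    switch (status) {
    case STATUS_INSUFF_SERVER_RESOURCES:
        return MS17010_UNPATCHED;
    case STATUS_INVALID_HANDLE:
    case STATUS_ACCESS_DENIED:
        return MS17010_PATCHED;
    default:
        return MS17010_UNKNOWN;
    }
}

/* Build a constructed SMBv1 Trans2 response header carrying `status` (test data,
 * not a capture).  Returns bytes written, or 0 if `cap` is too small. */
size_t build_trans2_response(uint32_t status, uint8_t *out, size_t cap)
{
    const size_t total = NBSS_HDR_LEN + SMB1_HDR_LEN;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    out[3] = SMB1_HDR_LEN;                 /* NetBIOS: type 0x00, 24-bit big-endian length */
    out[4] = 0xFF; out[5] = 'S'; out[6] = 'M'; out[7] = 'B';
    out[8] = SMB_COM_TRANSACTION2;
    out[9]  = (uint8_t)(status & 0xFF);    /* NT_STATUS, little-endian */
    out[10] = (uint8_t)((status >> 8) & 0xFF);
    out[11] = (uint8_t)((status >> 16) & 0xFF);
    out[12] = (uint8_t)((status >> 24) & 0xFF);
    out[13] = 0x88;                        /* Flags: SMB_FLAGS_REPLY | SMB_FLAGS_CASE_INSENSITIVE */
    return total;
}

int main(void)
{
    static const char *names[] = { "UNPATCHED", "PATCHED", "UNKNOWN", "MALFORMED" };
    uint32_t samples[] = { STATUS_INSUFF_SERVER_RESOURCES, STATUS_INVALID_HANDLE,
                           STATUS_ACCESS_DENIED, 0xC000000Du /* STATUS_INVALID_PARAMETER */ };
    uint8_t pkt[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = build_trans2_response(samples[i], pkt, sizeof pkt);
        printf("status 0x%08X -> %s\n", samples[i], names[classify_ms17010(pkt, n)]);
    }
    return 0;
}
```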


Memory Buffer Miscalculation 


The vulnerability that EternalBlue exploits is quite subtle. One could easily miss it if simply running a binary diffing tool against a patched and unpatched Srv.sys driver. Srv.sys is where large portions of the SMB protocol live, as Microsoft has opted to do many networking tasks in the kernel, perhaps for additional performance reasons (see also: HTTP.sys).


On most versions of Microsoft Windows, there is a function named srv!SrvOs2FeaListSizeToNt, which is used to calculate the size needed for converting OS/2 Full Extended Attributes (FEA) List structures into the appropriate NT FEA structures. These structures are used to describe file characteristics. This calculation function is not present in Microsoft Windows 10, as it has been inlined by the compiler. The vulnerability thus appears in srv!SrvOs2FeaListToNt.





Figure 3: The root cause vulnerability for E 
Essentially, an attacker-controlled WORD value is subtracted here; however, you will notice WORD-sized registers are used in the calculation. This buffer size is later used in a memcpy or memmove operation, depending on the Microsoft Windows version, both of which perform a copy of memory from one location to another.


This mathematical miscalculation is easy to overlook, however such a small error leads to disastrously unintended consequences. The vulnerability is best classified as CWE-680: Integer Overflow to Buffer Overflow.
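The pattern behind that classification, as an added illustrative model written for this page (it is not the Srv.sys code and uses no real structure layout): a 32-bit list length is reduced in a WORD-sized register, so only its low half changes and the result can come out larger than the true remaining size, while the hardened conversion validates the copy length against the destination capacity instead of trusting the arithmetic.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of CWE-680 as described in the text (not Srv.sys code):
 * a 32-bit length is adjusted, but the subtraction is done on a WORD-sized
 * register, so the high 16 bits of the field are never written back. */
uint32_t shrink_length_word(uint32_t list_len, uint32_t unconsumed)
{
    uint16_t low = (uint16_t)list_len;             /* value loaded into a 16-bit register */
    low = (uint16_t)(low - (uint16_t)unconsumed);  /* 16-bit subtract wraps modulo 2^16 */
    return (list_len & 0xFFFF0000u) | low;         /* high half of the DWORD is untouched */
}

/* The same adjustment carried out at the full width of the field. */
uint32_t shrink_length_dword(uint32_t list_len, uint32_t unconsumed)
{
    return list_len - unconsumed;
}

/* Convert (here: copy) `list_len` bytes of an untrusted list into a buffer that was
 * sized from the correctly computed length.  Returns bytes copied, or -1 when the
 * length exceeds the destination or the source: this check, rather than trust in
 * earlier arithmetic, turns an oversized length into a handled error instead of an
 * out-of-bounds write. */
long convert_list(const uint8_t *src, size_t src_len, uint32_t list_len,
                  uint8_t *dst, size_t dst_cap)
{
    if (list_len > dst_cap || list_len > src_len)
        return -1;
    memcpy(dst, src, list_len);
    return (long)list_len;
}

/* Worked case: a list declared as 0x10000 bytes of which 0xFF00 are not part of a
 * valid entry.  The correct remaining size is 0x100; the WORD arithmetic yields
 * 0x10100, larger even than the originally declared size.  Returns 1 when the
 * bounds check rejects the bad length and accepts the good one. */
int demo(void)
{
    uint32_t declared = 0x00010000u, unconsumed = 0x0000FF00u;
    uint32_t good = shrink_length_dword(declared, unconsumed);   /* 0x00000100 */
    uint32_t bad  = shrink_length_word(declared, unconsumed);    /* 0x00010100 */
    uint8_t src[0x100], dst[0x100];                              /* constructed buffers */
    memset(src, 0x41, sizeof src);
    long ok   = convert_list(src, sizeof src, good, dst, sizeof dst);   /* 0x100 */
    long fail = convert_list(src, sizeof src, bad,  dst, sizeof dst);   /* -1 */
    printf("dword length: 0x%08X -> copied %ld bytes\n", good, ok);
    printf("word  length: 0x%08X -> %s\n", bad, fail < 0 ? "rejected" : "copied");
    return fail == -1 && ok == 0x100;
}

int main(void) { return demo() ? 0 : 1; }
```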


Matthieu Suiche has suggested the following macro, available in the cifs.h header of Windows Driver SDKs, may have been used:





    (…Address, Value) \





The vulnerability itself could potentially have been found through either static code analysis, to identify the mathematical error, or through fuzzing the SMB protocol and getting a lucky Blue Screen of Death. However, turning a crash into a reliable exploit requires in-depth knowledge of many of Microsoft Windows' undocumented kernel structures, implementation details, and the SMB protocol.


The vulnerable code snippet is still present in versions of the MS17-010 patch. There is a secondary mitigation that disallows SMBv1 traffic from travelling the code path, effectively preventing successful exploitation. This was done by adding additional checks in srv!ExecuteTransaction2.


Origins 

The vulnerability itself appears to have been around for quite some time. RiskSense observed that the vulnerability is present in a base install of Windows 2000 without any service packs installed.


The Microsoft NT 4 source code was at one point leaked, and it is claimed the vulnerability is not present. RiskSense did not look at the NT 4 source, but it is possible the vulnerability was introduced in a service pack for NT 4.


As the earliest FUZZBUNCH exploit targets Microsoft Windows XP (Server 2003), it can be argued this vulnerability was around for a number of years before being discovered.


Figure: Crashing Microsoft Windows 2000 with an error consistent with exploitation
Exploit


Target Version of Microsoft Windows 10 


For this exploit analysis and port, we target Microsoft Windows 10 x64 Version 1511, the November Update with the codename Threshold 2. The build number is Microsoft Windows 10.0.10586. The MS17-010 patch, while available, is not installed.


This version is the currently supported Current Branch for Business (CBB) version of Microsoft Windows 10. Our exploit uses information about offsets and structures originally reversed for Microsoft Server 2012 by Worawit Wang, to whom a tremendous debt of gratitude is owed.


This build of Microsoft Windows has firewall rules that prevent the SMB port from being open by default. However, with default settings for both enterprise domain and private home networks, the firewall allows the port to be accessed. The IPC$ share also disallows anonymous logins. We do not consider these features to be significant exploit mitigations.


For our analysis, we will utilize the WinDbg Kernel Mode Debugger, an official tool from Microsoft Corporation which contains symbols for some, but not all, of the kernel data structures being examined.


Exploit Mitigations


Unfortunately, there are no working mitigations for Microsoft Windows Server 2003 (XP), Server 2008 (Vista/7), or Server 2012 (8/8.1). While certain versions do have mitigations enabled, the mitigations in place have straightforward workarounds:





Microsoft Windows 10, however, receives exploit mitigations that previous versions of Microsoft Windows simply do not get. The last exploitable version with known workarounds is Threshold 2, which is still supported in the Current Branch for Business (CBB). If the machine has the Redstone 1 update, which was publicly available in August 2016, randomization added to page table entries prevents the DEP bypass. If the machine has the Redstone 2 update, introduced in April 2017 (after the MS17-010 patch), the HAL heap is also randomized, defeating the ASLR bypass.





Microsoft Server 2016's first release includes Redstone 1, meaning a path to successful exploitation is not currently known. However, it is still simple to cause denial-of-service, and future DEP / ASLR bypasses may still be discovered.
Data Execution Prevention (DEP)


Data Execution Prevention is an exploit mitigation designed so that even if an arbitrary memory-write primitive is obtained, hijacking execution to the write location will not result in execution. There is a No eXecute (NX) bit in the page table entry that defines that a memory location cannot be executed. Attempting to do so will result in a CPU exception, which will be unhandled in kernel mode, resulting in a system crash.


Address Space Layout Randomization (ASLR)


A traditional avenue for DEP bypass is code re-use attacks. A technique known as Return-Oriented Programming (ROP) was developed, in which execution flow is set by overflowing many return addresses containing small code snippets, or "gadgets". There is a mitigation, which generally defeats ROP attacks, called Address Space Layout Randomization (ASLR). ASLR means that memory addresses are no longer static offsets that can be pre-determined.


Network Traffic Analysis 


When FUZZBUNCH was first released, simple packet analysis of the exploit's network traffic was performed. The phenomenon of successful exploitation by replaying a recording of the exploit was observed. This means that every offset of the exploit can be pre-calculated; there is no secondary memory leak information disclosure being used to dynamically calculate exploit requirements.


That stated, porting the exploit to a new version of Microsoft Windows (or writing the original exploit) is a tremendous task, which requires precise setup. Structure offsets must be properly reverse engineered for essential functionality, as in many cases they must be set to appropriate values or face rejection by runtime checks (causing a Blue Screen of Death). The integer overflow vulnerability must be calculated exactly, as other values rely on it and must be fixed up throughout the course of the exploit. There can be no ambiguity, and many kernel objects change drastically between the major versions of Microsoft Windows.
There are two main drivers in play which work in synergy with each other, being Srv.sys and Srvnet.sys. The vulnerable miscalculation and buffer overwrite will be performed because of actions in Srv.sys. The code execution hijack will occur later in processing done by Srvnet.sys. A large non-paged pool, with custom Srvnet.sys headers instead of pool headers, is where the memory corruption will happen.








The exploit opens several bare minimum connections, added by a variable NumGrooms amount. Grooms are used to perform a type of heap spray attack of kernel pool memory, so that memory lines up correctly and the overflow is controlled to a correct location. SMB drivers use large non-paged memory with its own structures for memory management of packets [24]. By adjusting the amount of grooms against a highly-fragmented pool, it is more likely to enter a known state and end up with a successful overwrite of desired structures.





The connections used in the exploit are one of four basic types: an Overflow Socket, the Allocation Connection, the Free Hole Connection, and Groom Packets.


Overflow Socket


This is the primary connection in the exploit, and the size of the malicious OS/2 Full Extended Attributes (FEA) List is essentially present as an attacker-controlled value. This socket connects to the IPC$ tree and begins an NT Trans request of a large FEA List. This large FEA List is sent through as many NT Trans2 secondary requests as are required, depending on size. These packets can be filled with gibberish, until the last NT Trans2 packet, which contains data that will overwrite the headers of a Groom Packet connection.





The final packet is deferred until all pool grooming is completed, as it exists in a different pool until the transaction is complete. The final request should return the status code error STATUS_INVALID_PARAMETER if everything goes well. This means the vulnerable code path was successfully travelled.





Groom Packets


Groom packets are several connections that are opened by a variable amount set by the attacker. The purpose of grooming is to achieve contiguous kernel pool memory so that the buffer overwrite ends up in the desired location, as in the headers of one of these groom packets' internal driver implementation structs. Exploit failures, where an overwrite occurs in a location that is not a groom packet internal struct, do not generally result in a crash, but occur fairly regularly when grooming is unable to properly achieve contiguous memory. This is usually observed when the pool is highly fragmented, especially after multiple exploitation attempts.


The NumGrooms amount is used after an allocation connection is opened, and six additional grooms are sent after a hole connection is opened and the allocation connection is closed. Groom packets also have the job of holding the exploit payload, which is sent after the overflow condition packet has been received and acknowledged by the server.


Groom packets in the original exploit appear to be SMB2 packets, but are otherwise completely invalid and perhaps only have the SMB2 header to defeat detection rules. The SMB2 header "magic" value can in practice be written with anything.


Allocation Connection


The allocation connection is simply used to create a large allocation on the server, to reserve a buffer that is significantly smaller than the overwrite packet, so that when it is freed the Overflow Socket does not end up in its place. This connection is used to fill a slot that will have trailing pool headers, which if overwritten would be hard to forge and likely result in a crash. The allocation must be smaller than the final Overflow Socket FEA List, so that it will go into the Free Hole Connection and not occupy this memory. The allocation connection is opened directly before the NumGrooms amount of groom packet headers are sent. The hole connection is then opened, and the allocation connection is closed.





Free Hole Connection


After the NumGrooms amount of groom packet headers are sent, the hole connection is opened. This buffer is virtually the same size as the expected size of the overflowing buffer, with minor adjustment to make things line up. At the last second, this Free Hole will be closed so that it can be quickly replaced with the overflowing buffer, which believes there is enough space to use here, but miscalculates how much data to copy. It is expected that a non-paged pool allocation with pool headers will not be adjacent to the hole connection because of the previous allocation connection. The headers for this will be overwritten when the last fragment of the overflow socket is sent.





FEA and Kernel Structures


Several kernel structures are overwritten or otherwise used during the exploit. Many of these structures are undocumented, and must be reverse engineered. This process is performed by looking at function calls that are used during normal execution in the attempt to determine what types exist at certain offsets.


SMB_FEA


A Full Extended Attribute is generally used to describe the characteristics of a file. One of SMB's primary functions is to serve as a file share, and the dated SMBv1 protocol has support for many opcodes. According to MSDN: "The SMB_FEA data structure is used in Transaction2 subcommands and in the NT_TRANSACT_CREATE subcommand to encode an extended attribute (EA) name/value pair."


    typedef struct _SMB_FEA
    {
        UCHAR ExtendedAttributeFlag;
        UCHAR AttributeNameLengthInBytes;
        USHORT AttributeValueLengthInBytes;
        CHAR AttributeName[AttributeNameLengthInBytes + 1];
        CHAR AttributeValue[AttributeValueLengthInBytes];
    } SMB_FEA, *PSMB_FEA;


SMB_FEA_LIST


A FEA List is simply many contiguous SMB_FEA. This is another documented structure on MSDN. A malicious SMB_FEA_LIST is the structure that is sent in the Overflow Socket, which is miscalculated while being converted into an internal NT FEA List structure.


    typedef struct _SMB_FEA_LIST
    {
        ULONG SizeOfListInBytes;
        UCHAR FEAList[1];
    } SMB_FEA_LIST, *PSMB_FEA_LIST;


SRVNET_BUFFER_HDR


This is the actual structure that will be overwritten during the out-of-bound memory copy caused by the original vulnerability miscalculation. This contains buffer metadata that is appended to the real buffer of an SMB packet allocation.


One of the most important aspects of this structure is the Memory Descriptor List PMDL (offset 0x38), which allows placing the fake PSRVNET_RECV struct pointed to by pSrvNetWskStruct (offset 0x88) into a desired memory location.





Memory Descriptor Lists are a kernel structure that describe … MDL in packet metadata essentially causes the TCP stack to perform an arbitrary write-what-where, a common primitive used in exploitation, when data is sent to the connection. This structure is exported by NTDLL, and thus we can query the det…
We essentially need to set this up in the overwritten packet with the bytes that would equal the same pseudocode seen below:


    SIZE_T nSentBytes = 0x76;
    PVOID pTargetLoc = 0xffff…;

    MDL mdl = {0};

    mdl.Next = NULL; // the Next entry should not point anywhere
    mdl.Size = 0x60;
    mdl.MdlFlags = MDL_NETWORK_HEADER | MDL_SOURCE_IS_NONPAGED_POOL; // 0x1004
    mdl.Process = NULL;
    mdl.MappedSystemVa = pTargetLoc - nSentBytes;


SRVNET_RECV


This is the structure that is written with the write-what-where primitive. Once the corrupted connection is closed, this is used by Srvnet.sys to call the handler function, which points to the shellcode address.


    typedef struct _SRVNET_RECV {
        BYTE unknown0[0x50];
        KSPIN_LOCK spinLock;
        LIST_ENTRY list;
        BYTE unknown1[0xa0];
        VOID *pHandlers;
        QWORD qwUnknown2;
        QWORD qwOverwriteSize;
        QWORD qwUnknown3;
        DWORD dwUnknown4;
        DWORD dwInvokeIndex;
        BYTE unknown5[0x…];

        // original struct ends
        QWORD qwFuncArguments;
        VOID *HandlerFunction;
    } SRVNET_RECV, *PSRVNET_RECV;

    // 0x50 lock is acquired during processing
    // 0x58 FLink and BLink point to self
    // 0x110 pointer to handler table
    // 0x118 set to pre-calculated overwrite amount
    // 0x132 set to 3
    // set to shellcode
SMB Exploitation Sequence


‘Memory Descriptor Lists are a kernel structure that describe The four types of connections must be sent in the proper order, so that pool 
‘memory i properly groomed. Performing these actions out of sequence can lead to overwrite occurring inthe improper location, which 
later could lead to an unhandled kernel exception, meaning the system will crash, 
Execution Chain of Events


The following is a high-level chain of events that allow the buffer overflow to achieve reliable code execution.







Portions of the basic sequence are repeated, once for the DEP bypass MDL, and again for the SRVNET_RECV MDL, which causes code execution. These can be triggered in sync in all testing, and there does not appear to be a race condition with the write orders.





…in the kernel called the HAL Heap, which is used by the Hardware Abstraction Layer. Until Microsoft Windows 10 Redstone 2 (April 2017), which randomizes the HAL Heap location, this region can be located at 0xffffffffffd00000.





On Microsoft Server 2008 R2, the latest version exploited by FUZZBUNCH, the HAL Heap has both write and execute permissions. For this reason, a DEP bypass was not necessary for the original exploit, as it was already "built in" to the ASLR bypass.








The region is known to store important structures such as the HalpInterruptController, which is a table of function pointers that perform critical operations, so exploits should be careful in choosing where to perform the arbitrary write.





https://labs.bluefrostsecurity.de/blog/2017/05/11/windows-10-hals-heap-extinction-of-the-halpinterruptcontroller-table-exploitation-technique/
DEP Bypass


Starting sometime in Microsoft Windows 8/8.1 (Server 2012), the HAL Heap became non-executable. A virtual memory Page Table Entry (PTE) contains information about a memory location, such as base physical address, CPU ring mode, a dirty bit, and, starting with the introduction of hardware-enforced DEP, a No eXecute (NX) bit. If the NX bit is set and we attempt to move the instruction pointer to the page, a kernel panic will prevent the exploitation.


The remote bypass for DEP used is a technique which can be used to have the MDL write a 0 into the NX bit of the PTE. PTEs, until Microsoft Windows 10 Redstone 1 (August 2016), like the HAL Heap, are in a fixed, static location, and can be pre-calculated. Disabling the bit will mark the page as executable.

[WinDbg output: page table entry of the HAL Heap target page before the overwrite]


We can confirm that the overwrite is successful, as the debugger afterwards informs us that the memory is marked as executable.


[WinDbg output: page table entry of the same page after the overwrite, now marked executable]





Hijacking Code Execution


After the DEP bypass is complete, we can overwrite the Groom buffer again with a new SRVNET_BUFFER_HDR containing an MDL that points to the location we just marked executable. We send the fake SRVNET_RECV struct and shellcode, which causes the TCP stack to use the MDL to write to the preset location in the HAL Heap.


[WinDbg output: breakpoint on the preset HAL Heap location and the register state when it is hit]
We can query the preset address for the MDL to write the fake SRVNET_RECV structure and shellcode to. We observe that the shellcode and structure are present and the offsets are in the proper locations. With proper setup, the handler function pointing to the payload will be called wi…


[Figure: layout of the fake SRVNET_RECV structure and shellcode at the preset location, annotated with offsets 0x50 = KSPIN_LOCK, 0x58 = LIST_ENTRY (Flink and Blink point to self), 0x110 = pointer to the function pointer table, 0x210 = fnptrs[] (points to 0x10)]


Setting a breakpoint at the start of the payload shellcode (interrupt 3, or "\xcc"), one can see the call stack when code execution is transferred.





Payload 


Overview of Operation 


RiskSense previously documented the DOUBLEPULSAR implant used in the original exploit. The problem with DOUBLEPULSAR is that it is not a cryptographically secure payload; it opens an insecure backdoor which anyone can come along and use to load secondary malware.


In our improved payload, an Asynchronous Procedure Call (APC) is queued directly to cause normal Metasploit user-mode payloads to be executed without requiring the backdoor. An APC can "borrow" a process thread that is in an Idle Alertable state, and while it relies on structures whose offsets change between versions of Microsoft Windows, it is one of the most reliable and easiest ways to exit kernel mode and enter user mode. Kernel shellcode techniques were gleaned from the Uninformed Journal and the DOUBLEPULSAR DLL injection payload.


The shellcode for Microsoft Windows 10 is similar to the code for Microsoft Windows 7 (Server 2008 R2), present in the EternalBlue Metasploit module. Many of the structures necessary have offsets which change between major versions; however, WinDbg has symbols available for them, so this is not a tedious task.


From a high level, here is the sequence of operations that the payload must take care of after the code execution hijack has occurred.


Hook the SYSCALL Handler


The first task the payload must perform is to hook a new system call handler, which will point to stage two. This is because we are executing at an undesired Interrupt Request Level (IRQL). At the current level, the dreaded DISPATCH_LEVEL, interrupts are disabled, and we cannot use nifty features such as paged memory, which we will need to copy the user-mode payload into. Thus, it is necessary to have the second stage of shellcode called in a process context so that more kernel functionality is available.


    ; IA32_LSTAR syscall MSR
    rdmsr
    movabs rbx, 0x…
    mov dword [rbx+0x4], edx          ; save old syscall handler
    mov dword [rbx], eax
    lea rax, [rel x64_syscall_handler] ; load relative address to 2nd stage
    ; the syscall handler calls this stub


Emulate a SYSCALL


Emulating a system call is simple enough to do, and code can mostly be directly copied from nt!KiSystemCall64. Essentially the GS segment register needs to be swapped from user to kernel, all registers need to be saved, and interrupts need to be resumed. Once this is done, the shellcode can call the third stage, which will queue the APC. When the third stage completes, clear interrupts, restore registers, and jump the instruction pointer to the real system call address.


The original system call handler MSR should also be restored as soon as possible, to prevent a bug check from Kernel Patch Protection (PatchGuard).








tm Juninfoumed ore Ba ABtat 
* httns//counteroet com /ourhinking/anayzina-theoublepulsar sere! injection technauel 
© tne Zot cmap metacpio amevinvilbih master/erternalanurre/shelee acc komad 
Locate NTOSKRNL.exe Base Address
Now that interrupts are enabled in the third stage, the payload can finally use the necessary APIs to queue the APC. The ntoskrnl.exe Portable Executable (PE) headers must be found so that function export addresses can be located. These can be looked up with a hash function like user-mode shellcode often uses for Kernel32.dll.


Luckily there is a trick which can be used here to again bypass ASLR. Locate the Interrupt Descriptor Table (IDT) from the Kernel Processor Control Region (KPCR), and traverse backwards from the first Interrupt Service Routine (ISR) handler to find the ntoskrnl.exe base address.


[Assembly listing illegible in this copy; recoverable comments: "; this stub loads ntoskrnl.exe into r15", "; get IdtBase of KPCR", "; get ISR address", "; strip to page size", "; walk along page size", "; 'MZ' header"; recoverable labels: _x64_find_nt_idt, _x64_find_nt_walk_page]


Dynamically Calculate ETHREAD ThreadListEntry
In order to support multiple service packs, the offset to ETHREAD.ThreadListEntry should be found dynamically. This can be done with the following steps:
+ Call nt!PsGetCurrentProcess to get the PEPROCESS->ThreadListHead
+ Call nt!PsGetCurrentThread to get the current thread
+ Walk the current process thread list until the address is found within a defined delta offset


Find a Target SYSTEM Process
The next step is to loop over PIDs calling nt!PsLookupProcessByProcessId and nt!PsGetProcessImageFileName until a desired process to inject into is found. Generally, this should be a SYSTEM process, such as lsass.exe, or, more safely, spoolsv.exe.


Searching PIDs can be done in multiples of 4, and the desired SYSTEM processes are usually in the lower range. Care should be taken to ensure the loop does not go on infinitely if a desired process cannot be found.


Copy User-mode Shellcode to Target Process
In order to call nt!ZwAllocateVirtualMemory, the shellcode must first call nt!KeStackAttachProcess to attach to the process virtual address space. This needs to later be followed up with nt!KeUnstackDetachProcess during the final cleanup phase, or strange errors and crashes can occur.


Memory should be allocated with PAGE_EXECUTE_READWRITE permissions. A simple rep movs instruction can be used to perform the memory copy.




Find an Alertable Thread
A thread needs to be "alertable" in order to queue an APC. Again, walk the PEPROCESS->ThreadListHead, searching for threads which satisfy the following conditions:
+ Thread Environment Block (TEB) is not NULL
+ TEB.ActivationContextStackPointer is not NULL (will cause a crash after APC execution)
+ The 5th bit of the ETHREAD Alertable offset should be set. This is simply a bool packed into a bit.


Create and Queue APC
An executable, non-paged pool should be allocated using nt!ExAllocatePool to hold the APC structure. The APC structure needs a dummy kernel-mode APC function, which can be set to simply ret. The call to nt!KeInitializeApc should be formed as such:


nt!KeInitializeApc(
    rcx = ApcPoolAddr,
    rdx = pChosenThread,
    r8 = NULL = OriginalApcEnvironment,
    r9 = KernelApcRoutine,
    NULL /* RundownRoutine */,
    [remaining arguments illegible in this copy],
    NULL /* Context */);


The APC can then be passed to nt!KeInsertQueueApc with NULL arguments. The user-mode payload will now be scheduled for execution.


Perform Cleanup
Perform a call to nt!KeUnstackDetachProcess to leave the target process virtual memory space. A call to nt!ObDereferenceObject on the target EPROCESS is also needed. If the process crashes and there are still references, it will not cleanly exit and will linger in memory.


User Mode Tasks
Since the APC thread in user mode is being temporarily borrowed from an Alertable thread, the starting stage of the user-mode payload should make a call to kernel32!CreateThread. Well-known user-mode techniques can now be utilized, such as acquiring the Process Environment Block (PEB) from the GS register and searching the Loader Data structure (PEB_LDR_DATA) for Kernel32.dll. The start location of the new thread should be the actual desired user-mode payload. In the case of Metasploit, this is generally a Meterpreter stager.


Summary of Improvements


Much like the payload used by the alleged Equation Group exploit EXTRABACON, the EternalBlue payload had room for some improvements. It can only be fairly compared against the DOUBLEPULSAR DLL injection payload, which performs a similar task.


The EternalBlue exploit in this setup only allows a payload of 4096 bytes. There may be numerous tricks available to stage larger kernel payloads, but this amount of space is more than sufficient for using a two-stage Meterpreter payload. The kernel payload for the Metasploit module is around 1000 bytes, plus the size of the user-mode payload. The DOUBLEPULSAR payload is around 8000 bytes, plus the size of the user-mode payload.


The reduction in shellcode size, to about 20% of the original size, was possible with the following optimizations:


+ Use of x86 registers over x64 where possible (avoid REX prefix bytes)
+ Removal of NOPs in shadow stack (such as add rsp, 20 directly followed by sub rsp, 20)
+ Direct hash API calls, instead of stored API pointers
+ Removal of safety checks deemed unnecessary
+ Handwritten assembly over what appeared to be compiler output
Conclusion


EternalBlue has many moving parts and can be a confusing exploit to follow. There were scarce, but excellent, prior works that have described the integer overflow to buffer overflow process.[1, 2] We have built upon this information by describing the methodology for the instruction pointer hijack and staging of the final payload, which are important points of study to thoroughly understand this complicated exploit.


The RiskSense Cyber Security Research team slowly dissected the original exploit, discovering parts of the data that were deemed unnecessary for exploitation. By removing superfluous fragments in network packets, our research makes it possible to detect all potential future variants of the exploit before a stripped-down version is used in the wild. We also substantiated the premise that the original exploit's DOUBLEPULSAR payload is a red herring for defenders to focus on, as stealthier payload mechanisms can be crafted.





This research confirms that porting the original exploit to more versions of Microsoft Windows, while difficult, is not an impossible feat. Porting to virtually all vulnerable Microsoft Windows versions that use the NT kernel is possible, apart from the key defenses recently made available in the bleeding-edge versions of Microsoft Windows 10. Redstone 1 (August 2016) and Redstone 2 (April 2017) introduce mitigations such as the Page Table Entry and HAL Heap randomizations, which will help protect users against future exploits of this class.


The EternalBlue exploit is highly dangerous in that it can provide instant, remote, and unauthenticated access to almost any unpatched Microsoft Windows system, which is one of the most widely used operating systems in existence for both the home and business world.


The vulnerabilities fixed in the MS17-010 patch, like the unwavering MS08-067 vulnerability before it, will continue to be exploited by black-hat criminal organizations, white-hat security researchers and penetration testers, and many nation-states for presumably a decade to come.


Only by analyzing the tools that are available to malicious actors can the wider information security community build proper protections and security measures.


RiskSense is dedicated to helping build a more secure digital world, and it is our sincere hope that this work will serve antivirus vendors, intrusion detection system rule authors, and other types of defenders to help understand the exploitation process so that future attacks can be prevented.


About RiskSense


RiskSense is disrupting the cyber risk market with a Software-as-a-Service based platform that uses domain expertise and data in ways that are beyond human cognition to correlate your vulnerability data with threat intelligence and business impact, to measure risk, provide early warning of weaponization, predict attacks and prioritize remediation. We are empowering our customers to reduce vulnerability fatigue, improve efficiency and quantify risk based on diagnostic and operational data.


The RiskSense platform embodies the expertise and intimate knowledge gained from real-world experience in defending critical networks from the world's most dangerous cyber adversaries.


As part of a team that collaborated with the U.S. Department of Defense and U.S. Intelligence Community, RiskSense founders developed Computational Analysis of Cyber Terrorism against the U.S. (CACTUS), Support Vectors Intrusion Detection, Behavior Risk Analysis of Vicious Executables (BRAVE), and the Strike Team Program. By leveraging RiskSense cyber risk management solutions, organizations can significantly shorten time-to-remediation, increase operational efficiency, strengthen their security programs, improve cyber hygiene, heighten response readiness, reduce costs, and ultimately minimize cyber risks. For more information, please visit www.risksense.com or follow us on Twitter at @RiskSense.